FakeBat, a notorious malware strain, continues its spread through multiple ongoing malvertising campaigns. Notably, the threat actor behind FakeBat employs MSIX installers containing heavily obfuscated PowerShell code, utilizing various tactics to evade detection. These tactics include abusing URL shorteners, leveraging legitimate websites, and impersonating diverse brands like OneNote and Epic Games. Despite efforts to report incidents to Google, FakeBat’s persistent presence underscores the challenges in combating sophisticated malware distribution methods.
The malvertiser responsible for distributing FakeBat consistently adapts its tactics, experimenting with different URL shortener services and employing new redirectors to bypass security checks. Moreover, recent campaigns showcase a broader range of targeted brands, indicating a strategic shift in the threat actor’s approach. By impersonating various software brands and utilizing legitimate websites, the attackers aim to deceive victims and evade detection mechanisms, posing significant risks to businesses and users alike.
Each malicious download associated with FakeBat is packaged as an MSIX installer signed with a valid digital certificate, enhancing its credibility and further complicating detection efforts. Upon execution, the installer executes a PowerShell script, connecting victims to the attacker’s command and control server. Despite the presence of security measures like ThreatDown EDR, FakeBat’s persistent evasion of Google’s security checks highlights the need for proactive cybersecurity measures and ongoing vigilance to mitigate the threat posed by malvertising campaigns.
